A certain VPN connectivity client was trying to be helpful, automatically selecting an authentication certificate from the user's smart card. However, the smart card also contained an expired certificate for the same account. The VPN client chose it for some unknown reason.
Everything (including document downloads) worked until WopiFrame.aspx/ExcelViewer.aspx/WordViewer.aspx/WordViewerFrame.aspx were requested with this authentication credential. These page requests consistently resulted in removing individual permissions (role assignments) and UserInfo entries.
Now that we've found the cause, the user can work just fine with login/password or a non-expired certificate.
This looks very creepy. The Office Online Server team should definitely review the security implications.
Looking forward to a CU for this problem.
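
The condition described in this post, an expired certificate sitting beside a valid one for the same account, can be checked on a workstation before an auto-selecting client picks the wrong one. The script below is an added example, not part of the original post or of any vendor tooling. It assumes the smart card certificates are visible in the `Cert:\CurrentUser\My` store and that certificates for the same account share a Subject.

```powershell
# Added example: list expired client-authentication certificates and show
# whether a still-valid certificate exists for the same subject.
# Assumption: smart card certificates appear in Cert:\CurrentUser\My.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# Keep certificates that have a private key and are usable for client auth.
$candidates = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
    $ekus = @($_.EnhancedKeyUsageList | Where-Object { $_ })
    # A certificate with no EKU extension is valid for all purposes.
    $_.HasPrivateKey -and
        ($ekus.Count -eq 0 -or $ekus.ObjectId -contains $clientAuthOid)
}

# Group by subject (assumed to identify the account) and report each
# expired certificate with the number of valid siblings next to it.
$findings = foreach ($group in ($candidates | Group-Object -Property Subject)) {
    $expired = @($group.Group | Where-Object { $_.NotAfter -lt $now })
    $valid   = @($group.Group | Where-Object {
        $_.NotBefore -le $now -and $_.NotAfter -ge $now
    })
    foreach ($cert in $expired) {
        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            ValidSiblingCount = $valid.Count
        }
    }
}

$findings | Sort-Object Subject, NotAfter | Format-Table -AutoSize
```

A row with `ValidSiblingCount` greater than zero is the ambiguous case from the post: a client that selects a certificate automatically has both an expired and a valid candidate for the same subject.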